Open crinitic opened 4 years ago
I am also getting this issue - let me know if you find a solution
Hi guys, sorry for the late response. We are on holiday these days. For your question, your request doesn't include a valid Authentication header value.
The value should be correctly generated.
Here is the value provided in your curl request.
Authorization: SharedKey devstoreaccount1:Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==
Here is the value Azurite expected:
2020-01-24T03:56:54.818Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: BlobSharedKeyAuthenticator:validate() Calculated authentication header based on key1: SharedKey devstoreaccount1:/S7T6ds2y+Gd7wYbOo7ljAx6dJCs0ub4jjvCFkOju9s=
@XiaoningLiu why does it expect that? The README.md says the default key is: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==
Edit: I tried
curl -X PUT http://127.0.0.1:10000/devstoreaccount1/pictures?restype=container -H "Authorization: SharedKey devstoreaccount1:/S7T6ds2y+Gd7wYbOo7ljAx6dJCs0ub4jjvCFkOju9s="
But still get a 403
The Authentication key header is dynamically generated every time. You can find out what Azurite expects in debug.log. It is not recommended to use curl for debugging with SharedKey. Try Azure Storage SDKs or Azure Storage Explorer.
Can you point me to the documentation on this? Surely curl is the easiest way to see what is actually going on?
@XiaoningLiu any update on this? It's preventing us from using the new version of Azurite.
Hi @XiaoningLiu, any updates on this? I am trying to use both curl and Postman. However, I always get 403.
Since this is really a local dev simulation, why not just make it simple enough?
Could you please help us in constructing the curl URL or Postman request and have it as an example?
Thank you very much
@XiaoningLiu @lincolnu I tried with legacy Azurite, Version 2.6.5, and it works as expected. Is there any reason why it does not work with V3?
I had the same issue. After I used the shared key that @XiaoningLiu pointed to in the logs, it worked. (Thanks) Is there a way to get this key from an endpoint call?
SharedKey authentication is one of the critical features Azurite provides (instead of ignoring authentication) and aligns with Azure Storage. Refer to https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key about how SharedKey works.
At the same time, you can use this SAS (generated from devstoreaccount1) if you need to debug in curl or Postman.
sv=2016-05-31&sig=SL1tiZVonWXUNfh93EQHCpz5DKYSeie5%2F7jeyK58yeI%3D&st=2018-12-17T06%3A10%3A39Z&se=2020-12-17T06%3A10%3A39Z&srt=sco&ss=bfqt&sp=racupwdl
Append the above SAS parameters to your URL without providing an Authentication header.
Tried this and still get a 403 response with v3 Azurite. However, if you go to Storage Explorer, right click your queue and click Get Shared Access Signature, it will create a URL that you can use.
Sending this request with the SAS from above and getting a 403:
curl 'http://127.0.0.1:10000/devstoreaccount1?comp=list&sv=2016-05-31&sig=SL1tiZVonWXUNfh93EQHCpz5DKYSeie5%2F7jeyK58yeI%3D&st=2018-12-17T06%3A10%3A39Z&se=2020-12-17T06%3A10%3A39Z&srt=sco&ss=bfqt&sp=racupwdl'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Error>
<Code>AuthorizationFailure</Code>
<Message>Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.
RequestId:40a2488c-44c6-4604-aa82-c869e29a4485
Time:2021-06-03T21:55:20.937Z</Message>
Hi,
Please create your own SAS, as the example from Xiaoning above is likely expired.
Thanks
Is there a fix on this :) ? I cannot access a Table storage from Postman using the 'Get Shared Access Signature' menu to get the SAS (Azurite ver. 3.15.0): http://127.0.0.1:10002/devstoreaccount1/Todo?st=2022-02-17T00%3A48%3A00Z&se=2022-03-01T00%3A48%3A00Z&sp=r&sv=2018-03-28&tn=todo&sig=Gj0TASrvZJYA84wHXqpiDJWR3s9Dn6aM68zTWFn%2BVkA%3D
Response 403:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
AuthorizationFailure
@jorgembutron The original issue is on blob, and your issue is on table. Besides that, although they both report 403, they might have different root causes. Would you please open a new issue by following the issue template, and share the Azurite debug log?
ty @blueww, I will raise the issue
I am surprised how overcomplicated this is on MS side.
The format for the Authorization header is
Authorization="[SharedKey|SharedKeyLite] <AccountName>:<Signature>"
where:
- SharedKey or SharedKeyLite is the name of the authorization scheme
- AccountName is the name of the account requesting the resource
- Signature is a Hash-based Message Authentication Code (HMAC) constructed from the request and computed by using the SHA256 algorithm, and then encoded by using Base64 encoding.
With a process so complex, it'd be nice to see a concrete start-to-finish example with Azurite's default account and key, including exactly what each piece of the data should be at each point in the process.
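An added, runnable example (not code from the Azurite project or from anyone in this thread) of the start-to-finish process asked for above, using Azurite's default account and key: it builds the Shared Key string-to-sign for a Blob request, signs it, and prints the equivalent curl command. The request, its headers and the fixed x-ms-date are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Azurite's default development account and key (the values quoted in this thread).
ACCOUNT = "devstoreaccount1"
ACCOUNT_KEY = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="

# Standard headers, in the order the Shared Key scheme signs them (empty when absent).
STANDARD_HEADERS = ["content-encoding", "content-language", "content-length", "content-md5",
                    "content-type", "date", "if-modified-since", "if-match", "if-none-match",
                    "if-unmodified-since", "range"]

def string_to_sign(method, url, headers, account=ACCOUNT):
    """Build the Shared Key (not SharedKeyLite) string-to-sign for a Blob service request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    fields = [method.upper()]
    for name in STANDARD_HEADERS:
        value = h.get(name, "")
        # Since service version 2015-02-21 a zero Content-Length is signed as an empty string.
        fields.append("" if name == "content-length" and value == "0" else value)
    # Canonicalized headers: every x-ms-* header, lower-cased and sorted, as "name:value\n".
    canonical_headers = "".join(f"{k}:{h[k]}\n" for k in sorted(h) if k.startswith("x-ms-"))
    parts = urlsplit(url)
    # Canonicalized resource: "/" + account + URL path. Azurite also carries the account name
    # in the path, so it appears twice: /devstoreaccount1/devstoreaccount1/<container>.
    resource = f"/{account}{parts.path}"
    params = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(name.lower(), []).append(value)
    for name in sorted(params):  # then "\nname:value" per query parameter, sorted by name
        resource += f"\n{name}:{','.join(sorted(params[name]))}"
    return "\n".join(fields) + "\n" + canonical_headers + resource

def shared_key_header(method, url, headers, account=ACCOUNT, key=ACCOUNT_KEY):
    """Authorization value: SharedKey <account>:<Base64(HMAC-SHA256(Base64Decode(key), sts))>."""
    sts = string_to_sign(method, url, headers, account).encode("utf-8")
    digest = hmac.new(base64.b64decode(key), sts, hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode('ascii')}"

def curl_command(method, url, headers, account=ACCOUNT, key=ACCOUNT_KEY):
    """Equivalent curl invocation; every header that was signed must be sent unchanged."""
    auth = shared_key_header(method, url, headers, account, key)
    flags = " ".join(f'-H "{k}: {v}"' for k, v in headers.items())
    return f'curl -X {method.upper()} {flags} -H "Authorization: {auth}" "{url}"'

if __name__ == "__main__":
    # Constructed request: create the "pictures" container from this thread. A live request
    # needs a current x-ms-date (within 15 minutes of the server clock); fixed here for repeatability.
    req_headers = {"x-ms-date": "Fri, 24 Jan 2020 03:56:54 GMT", "x-ms-version": "2019-12-12",
                   "Content-Length": "0"}
    print(curl_command("PUT", "http://127.0.0.1:10000/devstoreaccount1/pictures?restype=container",
                       req_headers))
```

If Azurite still answers 403, compare this string-to-sign with the one in debug.log: any difference in a header, the doubled account path, or a query parameter explains the mismatch.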
Hi @david-sledge ,
Here is a sample on how to sign blob request in JS: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob/src/policies/StorageSharedKeyCredentialPolicy.ts#L43
You'd need to do the same within your script to send a request with curl.
Thanks Emma
Looks like this is a good example for both Azure and Azurite REST API references to construct curl/postman requests: https://learn.microsoft.com/en-us/rest/api/storageservices/get-blob-metadata?tabs=microsoft-entra-id
This makes it impossible to do like-for-like testing for use cases where the Azure blob store is readable to the public without authentication.
@robinbryce
This issue is originally for the create container API, which requires authentication (the way the customer calculated the signature is wrong, which will also fail on public Azure). The original issue is different from your scenario of reading a blob without credentials. If you would like to read a blob without authentication, you need to first set your container public access to blob or container (this will need credentials), then read the blob from that container without authentication. This is also the same case on public Azure.
Thanks for the quick response. That makes sense. In a typical scenario the container permissions are managed by infrastructure. As far as the run time is concerned, it's done before the show. But yes, I see you are right; that is all going via the regular REST API so it is consistent with production use.
In the quick start where it says "Authentication is required, and Azurite supports authorization with OAuth, Shared Key ...", a single sentence along the lines of "With initially authenticated requests, container public read access may be configured in the normal way ref-to-api" would have helped.
Thanks though!
Any change on this? Can authentication be disabled? I need it for testing durable functions locally and in a pipeline without all the newly introduced complexities.
@nikolaidk
Azurite is an Azure Storage API emulator. Since public Azure Storage needs authentication, we don't plan to disable authentication in Azurite.
If you really would like to disable authentication in Azurite, you might clone the Azurite repo to a local machine, modify the Azurite code to disable it and build your own private Azurite. The blob authentication code is all in: https://github.com/Azure/Azurite/tree/main/src/blob/authentication Then follow this guide to build your private Azurite from local code: https://github.com/Azure/Azurite?tab=readme-ov-file#github
Hi @blueww @EmmaZhu, I'm trying to create a container using account SAS authentication, but I get an AuthorizationFailure back.
Azurite-Blob/3.30.0
DockerHub
curl -v -X PUT http://127.0.0.1/devstoreaccount1/container-name2?restype=container&se=2025-06-10T01%3A21Z&sp=rwdlc&sv=2022-11-02&ss=b&srt=sco&sig=%2BWlfwhjl%2FL1Um2lrHR%2F1CIjbFO8T3k4a2FfISIwMcjI%3D
After starting Docker in WSL2, execute the following bash script:
# Storage account information.
account_name="devstoreaccount1"
account_key="Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
# Set parameters for the SAS token
sv="2022-11-02" # service version
ss="b" # service (b = Blob, q = Queue, t = Table, f = File)
srt="sco" # Resource type (s = service, c = container, o = object)
sp="rwdlc" # Permissions (read, write, delete, list, add, create, update, process)
se=$(date -u -d "1 year" '+%Y-%m-%dT%H:%MZ') # Expiry time
st=$(date -u '+%Y-%m-%dT%H:%MZ') # Start time
# Creating the string to sign. Every field signed here must also be sent in the URL
# (st was signed but not sent before, which is why Azurite computed a different signature).
# Versions 2020-12-06 and later also sign an empty encryption scope field, hence the extra trailing \n.
string_to_sign="${account_name}\n${sp}\n${ss}\n${srt}\n${st}\n${se}\n\n\n${sv}\n\n"
# Decode the key to hex so openssl receives the raw key bytes (a shell variable cannot hold arbitrary binary)
key_hex=$(printf %s "${account_key}" | base64 -d | od -An -tx1 | tr -d ' \n')
# Generate the signature using HMAC-SHA256 and Base64 encode it in one pipeline
signature=$(printf '%b' "${string_to_sign}" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:${key_hex}" -binary | base64 -w0)
# URL encoding of the values that contain ':', '+', '/' or '='
sig=$(printf %s "${signature}" | jq -s -R -r @uri)
se_enc=$(printf %s "${se}" | jq -s -R -r @uri)
st_enc=$(printf %s "${st}" | jq -s -R -r @uri)
# Completed SAS token (sp, ss and srt only contain URL-safe characters).
sas_token="st=${st_enc}&se=${se_enc}&sp=${sp}&sv=${sv}&ss=${ss}&srt=${srt}&sig=${sig}"
# Creating containers
container_name="container-name2"
# Request to create a container.
curl -v -X PUT "http://127.0.0.1:10000/devstoreaccount1/${container_name}?restype=container&${sas_token}"
No
Logs
2024-06-10T01:21:33.560Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: BlobStorageContextMiddleware: RequestMethod=PUT RequestURL=http://127.0.0.1/devstoreaccount1/container-name2?restype=container&se=2025-06-10T01%3A21Z&sp=rwdlc&sv=2022-11-02&ss=b&srt=sco&sig=%2BWlfwhjl%2FL1Um2lrHR%2F1CIjbFO8T3k4a2FfISIwMcjI%3D RequestHeaders:{"host":"127.0.0.1:10000","user-agent":"curl/7.81.0","accept":"*/*"} ClientIP=172.17.0.1 Protocol=http HTTPVersion=1.1
2024-06-10T01:21:33.560Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: BlobStorageContextMiddleware: Account=devstoreaccount1 Container=container-name2 Blob=
2024-06-10T01:21:33.560Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b verbose: DispatchMiddleware: Dispatching request...
2024-06-10T01:21:33.560Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: DispatchMiddleware: Operation=Container_Create
2024-06-10T01:21:33.560Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b verbose: AuthenticationMiddlewareFactory:createAuthenticationMiddleware() Validating authentications.
2024-06-10T01:21:33.560Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: PublicAccessAuthenticator:validate() Start validation against public access.
2024-06-10T01:21:33.560Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: PublicAccessAuthenticator:validate() Getting account properties...
2024-06-10T01:21:33.560Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: PublicAccessAuthenticator:validate() Retrieved account name from context: devstoreaccount1, container: container-name2, blob:
2024-06-10T01:21:33.560Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: PublicAccessAuthenticator:validate() Skip public access authentication. Cannot get public access type for container container-name2
2024-06-10T01:21:33.560Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: BlobSharedKeyAuthenticator:validate() Start validation against account shared key authentication.
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: BlobSharedKeyAuthenticator:validate() Request doesn't include valid authentication header. Skip shared key authentication.
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: AccountSASAuthenticator:validate() Start validation against account Shared Access Signature pattern.
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: AccountSASAuthenticator:validate() Getting account properties...
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: AccountSASAuthenticator:validate() Retrieved account name from context: devstoreaccount1, container: container-name2, blob:
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: AccountSASAuthenticator:validate() Got account properties successfully.
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: AccountSASAuthenticator:validate() Retrieved signature from URL parameter sig: +Wlfwhjl/L1Um2lrHR/1CIjbFO8T3k4a2FfISIwMcjI=
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: AccountSASAuthenticator:validate() Successfully got valid account SAS values from request. {"version":"2022-11-02","expiryTime":"2025-06-10T01:21Z","permissions":"rwdlc","services":"b","resourceTypes":"sco"}
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: AccountSASAuthenticator:validate() Validate signature based account key1.
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: AccountSASAuthenticator:validate() String to sign is: "devstoreaccount1\nrwdlc\nb\nsco\n\n2025-06-10T01:21Z\n\n\n2022-11-02\n\n"
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: AccountSASAuthenticator:validate() Calculated signature is: FWN3aG/hCq6K3niladEMv3bjgY445O5ls8qKteAlF54=
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: AccountSASAuthenticator:validate() Signature based on key1 validation failed.
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: BlobSASAuthenticator:validate() Start validation against blob service Shared Access Signature pattern.
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: BlobSASAuthenticator:validate() Getting account properties...
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: BlobSASAuthenticator:validate() Retrieved account name from context: devstoreaccount1, container: container-name2, blob:
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: BlobSASAuthenticator:validate() Got account properties successfully.
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: BlobSASAuthenticator:validate() Retrieved signature from URL parameter sig: +Wlfwhjl/L1Um2lrHR/1CIjbFO8T3k4a2FfISIwMcjI=
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b debug: BlobSASAuthenticator:validate() Signed resource type undefined is invalid. Skip blob service SAS validation.
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b error: ErrorMiddleware: Received a MiddlewareError, fill error information to HTTP response
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b error: ErrorMiddleware: ErrorName=StorageError ErrorMessage=Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature. ErrorHTTPStatusCode=403 ErrorHTTPStatusMessage=Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature. ErrorHTTPHeaders={"x-ms-error-code":"AuthorizationFailure","x-ms-request-id":"0b48aef4-e376-4d29-adf6-e361f6a0fa9b"} ErrorHTTPBody="<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<Error>\n <Code>AuthorizationFailure</Code>\n <Message>Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.\nRequestId:0b48aef4-e376-4d29-adf6-e361f6a0fa9b\nTime:2024-06-10T01:21:33.561Z</Message>\n</Error>" ErrorStack="StorageError: Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.\n at StorageErrorFactory.getAuthorizationFailure (/opt/azurite/dist/src/blob/errors/StorageErrorFactory.js:137:16)\n at /opt/azurite/dist/src/blob/middlewares/AuthenticationMiddlewareFactory.js:25:56\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b error: ErrorMiddleware: Set HTTP code: 403
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b error: ErrorMiddleware: Set HTTP status message: Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b error: ErrorMiddleware: Set HTTP Header: x-ms-error-code=AuthorizationFailure
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b error: ErrorMiddleware: Set HTTP Header: x-ms-request-id=0b48aef4-e376-4d29-adf6-e361f6a0fa9b
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b error: ErrorMiddleware: Set content type: application/xml
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b error: ErrorMiddleware: Set HTTP body: "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<Error>\n <Code>AuthorizationFailure</Code>\n <Message>Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.\nRequestId:0b48aef4-e376-4d29-adf6-e361f6a0fa9b\nTime:2024-06-10T01:21:33.561Z</Message>\n</Error>"
2024-06-10T01:21:33.561Z 0b48aef4-e376-4d29-adf6-e361f6a0fa9b info: EndMiddleware: End response. TotalTimeInMS=2 StatusCode=403 StatusMessage=Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature. Headers={"server":"Azurite-Blob/3.30.0","x-ms-error-code":"AuthorizationFailure","x-ms-request-id":"0b48aef4-e376-4d29-adf6-e361f6a0fa9b","content-type":"application/xml"}
@yangsirgo
From the debug log we can see the SAS signature of your request is not aligned with the signature Azurite calculated. Azurite uses the string to sign "devstoreaccount1\nrwdlc\nb\nsco\n\n2025-06-10T01:21Z\n\n\n2022-11-02\n\n".
Please make sure the SAS you use is valid. How did you generate the SAS? If you use the storage SDK or tools, normally the SAS token should be valid.
Thank you very much, I found the problem. The parameters in the SAS URI must be consistent with the key values in the string to sign of the signature.
Thanks Yang
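As an added example (not code from this thread or from Azurite), the same account SAS computation in Python, using the field order Azurite logged above. It reproduces the "Calculated signature" from the debug log for key1, which is a way to check a token offline before sending it, and its string-to-sign function makes the mismatch visible: a start time that is signed but not sent gives a different signature. It assumes the default account key is unchanged.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Azurite's default development account and key (the values used by the script above).
ACCOUNT = "devstoreaccount1"
ACCOUNT_KEY = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="

def account_sas_string_to_sign(account, sp, ss, srt, se, st="", sip="", spr="", sv="2022-11-02"):
    """Account SAS string-to-sign. Each field must be sent in the URL under the same name with
    exactly this value, or be empty here and absent from the URL; signing a start time (st)
    that is then not sent is what produced the mismatch in the log above."""
    fields = [account, sp, ss, srt, st, se, sip, spr, sv]
    if sv >= "2020-12-06":
        fields.append("")  # signed encryption scope (ses): unused, but still a signed position
    return "\n".join(fields) + "\n"

def sign(string_to_sign, key=ACCOUNT_KEY):
    """Base64(HMAC-SHA256(Base64Decode(key), string_to_sign)), the value of the sig parameter."""
    digest = hmac.new(base64.b64decode(key), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")

def account_sas_token(sp, ss, srt, se, st="", sip="", spr="", sv="2022-11-02",
                      account=ACCOUNT, key=ACCOUNT_KEY):
    """Query string to append to the request URL. Empty fields are omitted, and urlencode
    percent-encodes ':' '+' '/' '=' in the timestamps and the signature."""
    sts = account_sas_string_to_sign(account, sp, ss, srt, se, st, sip, spr, sv)
    params = [("sv", sv), ("ss", ss), ("srt", srt), ("sp", sp), ("st", st), ("se", se),
              ("sip", sip), ("spr", spr), ("sig", sign(sts, key))]
    return urlencode([(k, v) for k, v in params if v])

if __name__ == "__main__":
    # Parameters from the debug log in this thread: with the default key1 the signature below
    # should equal the "Calculated signature" Azurite logged, which is how to check a token offline.
    sts = account_sas_string_to_sign(ACCOUNT, "rwdlc", "b", "sco", "2025-06-10T01:21Z")
    print(repr(sts))
    print(sign(sts))
    print(f"http://127.0.0.1:10000/{ACCOUNT}/container-name2?restype=container&"
          + account_sas_token("rwdlc", "b", "sco", "2025-06-10T01:21Z"))
```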
Which service(blob, file, queue, table) does this issue concern?
Blob
Which version of the Azurite was used?
3.4.0
Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)
npm
What's the Node.js version?
13.3.0
What problem was encountered?
When I try to use Azurite through the REST API, I keep getting an AuthorizationFailure response.
Steps to reproduce the issue?
I try to create a container with the following call:
And get the following response:
Have you found a mitigation/solution?
No
Logs